
Overriding nonce verification in the login form #1636

Closed
anonymous-matomo-user opened this issue Aug 23, 2010 · 2 comments
Labels
Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it.
Comments

@anonymous-matomo-user

To enable direct login to Piwik from my Virtualmin Piwik plugin, I am posting pre-set username-password combinations to Piwik through a frame. Cookies are preserved (client-side) by pre-loading Piwik in a hidden iframe. However, it gets stuck with nonce validation inside the Login module where the nonce is checked against a form variable.

This works perfectly when nonce verification is bypassed.

- if(Piwik_Nonce::verifyNonce('Piwik_Login.login', $nonce))
+ if(true || Piwik_Nonce::verifyNonce('Piwik_Login.login', $nonce))
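Review bot: `true || Piwik_Nonce::verifyNonce(...)` short-circuits, so `verifyNonce` is never called and the login form accepts any request regardless of nonce; this disables the check for every login, not only the framed one, so it should stay a local experiment rather than a patch.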

I have seen and worked around similar security checks in phpMyAdmin. But there's one noticeable difference between Piwik and phpMyAdmin. Unlike Piwik, phpMyAdmin checks for the token in a cookie variable.

Nobody would want nonce check removed including me. However, it would be great if Piwik supports third-party/framed logins without any patches or implementation of just another full-featured login module. Ideally, I am thinking about two possible ways around this:

  1. A new API method which would supply a nonce to trusted third-party scripts.
+ UsersManager.getAuthNonce (userLogin, clientUserAgent)
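Review bot: as sketched, `UsersManager.getAuthNonce` takes only `userLogin` and `clientUserAgent`, neither of which is secret, so any caller who knows a username could obtain a valid login nonce and the check would protect nothing; the method would need to require an already-authenticated caller, with the nonce bound to that caller's session, before it is any safer than skipping the check.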
  2. Relocating the nonce from login form to a cookie. (By setting proper privacy headers, cookies from iframe'd sites can be preserved on client side. But form variables from inside iframe cannot be accessed.)
- $nonce = $form->getSubmitValue('form_nonce');
+ $nonce = $_COOKIE['auth_nonce'];
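Review bot: reading the nonce from `$_COOKIE['auth_nonce']` alone removes what the form field provides: the browser attaches cookies to any request for the site, including one triggered from a third-party page, whereas a form value has to be read from the page that issued it. A cookie can carry the nonce only if the check still compares it against a copy delivered in the request body or a header.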

I would also like to draw your attention to the issues users had recently with double requests from browsers/add-ons (see [1236]). Relocating nonce to a short-lived cookie would most probably make a permanent solution to such future issues as well.

I am asking for this help here because the plugin I am working on is going to be released for public. Hence, I would prefer an official way to authenticate rather than patching or making complex additions to Piwik source.
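To make the difference between the two proposals concrete, here is an added illustration (not Piwik code, and not from the issue author): a session-bound nonce checked against a form field, beside the cookie-only variant, run over two constructed requests. The request layout, the key `Piwik_Login.login` and the names `form_nonce`/`auth_nonce` are taken from the post; the verify functions are assumptions written for this example.

```php
<?php
// Added example, not Piwik's Login module. A request is modelled as an
// array with 'session' (server-side), 'cookie' and 'form' parts.

function issueNonce(array &$session, string $key): string {
    $nonce = bin2hex(random_bytes(16));
    $session[$key] = $nonce;        // server keeps the reference copy
    return $nonce;
}

// Form-carried nonce: the value must arrive in the request body, which a
// page on another origin cannot read or prefill.
function verifyFormNonce(array $request, string $key): bool {
    $expected = $request['session'][$key] ?? '';
    $got = $request['form']['form_nonce'] ?? '';
    return $expected !== '' && hash_equals($expected, $got);
}

// Cookie-only nonce (proposal 2): the browser attaches the cookie to every
// request for the site, so the check no longer tells origins apart.
function verifyCookieNonce(array $request, string $key): bool {
    $expected = $request['session'][$key] ?? '';
    $got = $request['cookie']['auth_nonce'] ?? '';
    return $expected !== '' && hash_equals($expected, $got);
}

$key = 'Piwik_Login.login';
$session = [];
$nonce = issueNonce($session, $key);

// Constructed requests. The legitimate one comes from the login page and
// carries the nonce in both places; the cross-site one is a POST triggered
// from another origin, so the browser still sends the cookie but the form
// value was never available to that page.
$legit     = ['session' => $session, 'cookie' => ['auth_nonce' => $nonce],
              'form' => ['form_nonce' => $nonce]];
$crossSite = ['session' => $session, 'cookie' => ['auth_nonce' => $nonce],
              'form' => []];

foreach (['legit' => $legit, 'cross-site' => $crossSite] as $label => $req) {
    printf("%-10s form check: %s  cookie check: %s\n", $label,
        verifyFormNonce($req, $key) ? 'pass' : 'reject',
        verifyCookieNonce($req, $key) ? 'pass' : 'reject');
}
```

The form check rejects the cross-site request while the cookie-only check accepts both, which is the property the form field was providing.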

@robocoder
Contributor

Use the Login module's logme() method.

@anonymous-matomo-user
Author

Wow, it's already implemented. Thanks!

@anonymous-matomo-user anonymous-matomo-user added this to the Piwik 0.9.9 - Stable release milestone Jul 8, 2014
This issue was closed.